Depending on who you ask, an Advanced Persistent Threat (APT) is either a nightmare scenario that keeps CSOs awake at night or just the newest security marketing buzzword. Let's take a closer look at what an APT really is and what defenses are available against them.
Ever since the term was introduced in the media, there have been numerous definitions of what an APT is. Perhaps the most hype-free definition is the one from NIST, which defines an APT as:
An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders' efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.
This definition should clear up a common misconception about APTs: they are sometimes characterized as a purely technical problem, like a zero-day vulnerability. An APT is an attacker with a clear objective, willing and able to employ tactics ranging from simple social engineering to extremely complex malware, and to adapt them as needed to fulfill that objective. This stands in stark contrast to the garden-variety attacker, who uses large-scale automated tools to identify and compromise what are essentially targets of opportunity.
Another notable characteristic is the amount of resources available to these attackers, which is one of the reasons they are often described as state-sponsored. That association in turn creates the misconception that APTs are only run by foreign governments, but other organizations can fund this kind of activity as well, ranging from companies willing to engage in industrial espionage to organized crime rings.
Defending against an APT
With the deck apparently so heavily stacked in the attacker's favor, how can you defend against an APT? First, before you can mount a credible defense against this type of threat, you need to cover the basics. According to the most recent Verizon Data Breach Investigations Report, 96% of breaches were not very difficult to carry out because basic security practices were not in place. Proper password and authentication policies, patch management procedures, correct firewall and IDS configuration, and log review procedures are among the basic practices that should be second nature to your organization.
The second step is to evolve your view of what you have to secure. These attackers are after your most valuable information assets, so you need to know what that information is, where it resides, who has access to it, why they have access, and when they access it. Answering these questions should give you a clearer picture of which pieces of your infrastructure are most critical and need your attention. That, in turn, tells you where to focus when searching for anomalies in your logs and how to prioritize when incidents occur.
Another step is to recognize the role your users play in protecting your information assets. Several APT intrusions against organizations began with a socially engineered attack vector. Security awareness among users at all levels of the organization is key to any information security strategy.
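To make the "what, where, who, why and when" questions concrete, here is an added example (not code from the original article or its author) that turns a small asset inventory into a triage rule for access logs: events touching an asset by an unauthorized user, or outside the asset's expected access window, are flagged and ranked by the asset's criticality. The inventory, the log format and the log lines are all constructed for illustration; the asset names, user names and hour windows are hypothetical.

```python
"""Prioritize access-log review by asset criticality.

Added example, not part of the original article. The inventory and the
log lines below are constructed; the asset and user names are hypothetical.
"""
from datetime import datetime

# Constructed asset inventory: where the important data lives, who is
# supposed to touch it, and during which hours (local time).
ASSETS = {
    "fs01:/finance/q3_forecast.xlsx": {
        "criticality": 3,               # 3 = crown jewels, 1 = low value
        "authorized": {"cfo", "fin_analyst"},
        "hours": (7, 19),               # expected access window
    },
    "db02:customers": {
        "criticality": 2,
        "authorized": {"crm_svc", "support"},
        "hours": (0, 24),
    },
    "wiki:/lunch-menu": {
        "criticality": 1,
        "authorized": set(),            # empty set: anyone may read it
        "hours": (0, 24),
    },
}

# Constructed log lines: ISO timestamp, user, asset, action.
LOG = """\
2012-06-04T08:12:03 cfo fs01:/finance/q3_forecast.xlsx READ
2012-06-04T12:30:41 support db02:customers READ
2012-06-04T23:47:19 fin_analyst fs01:/finance/q3_forecast.xlsx READ
2012-06-05T02:15:00 helpdesk_tmp fs01:/finance/q3_forecast.xlsx COPY
2012-06-05T09:00:00 intern wiki:/lunch-menu READ
2012-06-05T09:05:12 marketing db02:customers EXPORT
"""


def parse_line(line):
    """Split one whitespace-separated log line into a dict."""
    ts, user, asset, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "asset": asset, "action": action}


def score_event(ev):
    """Return (score, reasons); a score of 0 means nothing to look at."""
    meta = ASSETS.get(ev["asset"])
    if meta is None:
        # Unknown asset: the inventory is incomplete, which is itself a finding.
        return 1, ["asset not in inventory"]
    reasons = []
    if meta["authorized"] and ev["user"] not in meta["authorized"]:
        reasons.append("user not authorized for asset")
    start, end = meta["hours"]
    if not (start <= ev["ts"].hour < end):
        reasons.append("outside expected access window")
    if not reasons:
        return 0, []
    # Weight anomalies by how much the asset matters, so a hit on the finance
    # file outranks the same rule firing on the lunch menu.
    return meta["criticality"] * len(reasons), reasons


def triage(log_text):
    """Parse the log and return flagged events, highest priority first."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        score, reasons = score_event(ev)
        if score:
            findings.append((score, ev["user"], ev["asset"], reasons))
    findings.sort(key=lambda f: f[0], reverse=True)
    return findings


if __name__ == "__main__":
    for score, user, asset, reasons in triage(LOG):
        print(f"[{score}] {user} -> {asset}: {'; '.join(reasons)}")
```

Run against the constructed log, the off-hours copy of the finance file by an account that is not on the authorized list comes out on top, the analyst's late-night read of the same file second, and the marketing export of the customer table third; the routine reads score zero and never reach the reviewer. The point is not the rules themselves but that the inventory, not the log volume, decides what gets looked at first.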
I am a technology specialist with over 10 years of experience performing a variety of corporate IT functions, including desktop and server operations, application development, and database administration. My latest role is in information security, focusing on multiple areas including log management and security incident investigation and response.